Madrid, December 24 2004 - Today's report deals with three worms -Santy.A, which started to spread rapidly at the beginning of the week, Mugly.C and Gaobot.CDO-, the Constructor/Mastof virus, and a Trojan called Mastof.A.

Santy.A is a worm that uses the viewtopic.php vulnerability to spread via the Internet. It affects servers that have versions earlier than 2.0.11 of the phpBB installed and which have not been updated.

After infecting a computer, Santy.A takes the following action, among others:

- It uses Google to search for vulnerable computers.

- It overwrites all files with ASP, HTM, PHP, PHTM and SHTM extensions, and replaces them with HTML code that displays a message.

- It slows down the affected server and Internet access.

The second worm we're looking at today is Mugly.C, which spreads using a variable email message, with an attachment called ATTACHED.ZIP. This file contains an executable which is actually the worm itself and will be sent in an email.

Alter it is run, Mugly.C displays an image on screen, and installs and runs another worm that Panda Software detects as Gaobot.CDO.worm.

Gaobot.CDO affects computers with Windows 2003/XP/2000/NT operating systems, by exploiting the LSASS, RPC DCOM and WebDAV vulnerabilities. In order to spread it makes copies of itself in the shared network resources that it manages to access. Gaobot.CDO also connects to an IRC Server and awaits orders.

The next codes we are looking at in today's report are Constructor/Mastof and Mastof.A, which are closely linked to each other, as the second one is a Trojan that has been created by the first to steal Yahoo Messenger passwords.

Mastof.A, and the Trojans generated by Constructor/Mastof, include the following features: they execute every time the PC is restarted, they stay resident in the PC and they sent the password they find to a specific Yahoo address.